Hackers Demand Multi-Million Dollar Ransom From Hollywood Hospital Following Cyber-Attack: Hospital Record System Out of Commission for Over a Week (Part 1 of 2)

Thursday, February 18, 2016

By George F. Indest IV, Director of System Services, The Health Law Firm,andGeorge F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

(Part 1 of a 2 part blog)

For more than a week, the computer systems at Hollywood Presbyterian Medical Center have been offline following a cyber-attack. The hospital has, apparently, also been locked out of all access to patient electronic health records (EHR). The unknown hackers are demanding a $3.6 million ransom to release the data. The hackers are demanding payment in Bitcoins, which will be untraceable if paid.

"Ransomware" Used

The attack reportedly started on February 12, 2016, and hackers used “ransomware” to infect the hospital’s computer systems. Ransomware is a type of malware that restricts access to the infected computer system and demands that the user pay a ransom to the malware operators to remove the restriction. Often ransomware will threaten to completely delete all data if payment is not made by a certain date.

Those hackers that use ransomware are thieves and extortionists. They properly may be called "cyber-terrorists." What they do is clearly serious criminal activity. However, they are able to remain anonymous by operating out of foreign countries where government authorities are not interested in pursuing them. They stay anonymous by operating through many levels of proxy servers around the world and using false Internet Protocol (IP) addresses. Although the sophisticated supercomputers used by our counter-intelligence agencies could probably rapidly locate the site of such attacks, until now, they have not been as serious as the one on the hospital. Even if they did, the cooperation of local law enforcement authorities might be questionable.

Ransomware and cyber-attacks are a growing menace, but when a hospital is targeted the consequences can be much more serious than the small businesses that are usually attacked.

Hackers Demand $3.6 Million in Bitcoins.

The ransomware affected the hospital’s information technology (IT) network and essentially shut down all of its systems. The hackers are holding the systems hostage until the ransom amount of $3.6 million is paid, which will then release the “electronic keys” which will supposedly unlock the stolen data on the computer system. The hackers demanded the ransom amount to be paid in Bitcoins, which is an electronic payment system that is not traceable.

According to reports, the hospital's staff has been redirecting emergency patients to other hospitals following the ransomware attack. The staff has resorted to using pen and paper to record patient information and sending telefaxes instead of e-mails to communicate with other departments. Patients are being required to come pick up medical records or go to outlying labs and diagnostic testing facilities to pick up paper copies of lab reports in person.

Some departments in the hospital have been affected as well because of this. Computers are crucial for medical equipment and because of the attack, the hospital’s Radiation and Oncology departments have been completely shut down. This has disrupted cancer treatments for patients.

Despite publicly confirming the attack on patient’s medical data and having declared an emergency, the hospital has not commented on the hacker’s ransom demand.

To read a prior blog we published on cyber-attacks on the health care industry, click here.

Part 2: Measures to Take to Prevent Similar Events

In Part 2 of this blog, which we will publish in the near future, we will discuss measures that hospitals and other healthcare institutions should take to prevent similar events from disrupting their operations.

The Health Law Firm routinely represents physicians, pharmacists, pharmacies, optometrists, nurses, health facilities, healthcare related businesses, and other health providers in investigations, regulatory matters, licensing issues, civil and administrative litigation, defense of HIPAA complaints and violations, regulatory matters, inspections and audits involving the Drug Enforcement Administration (DEA), Federal Bureau of Investigation (FBI), Department of Health (DOH), matters involving the Centers for Medicare and Medicaid Services (CMS), the Food and Drug Administration (FDA), the Agency for Health Care Administration (AHCA), and other regulatory and law enforcement agencies. Its attorneys include those who are board certified by The Florida Bar in Health Law as well as licensed health professionals who are also attorneys.

About the Authors: George F. Indest IV, is a computer systems scientist and is the Director of Systems Services at The Health Law Firm in Orlando, Florida. George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm. The Health Law Firm has a national practice. Visit our website at: www.TheHealthLawFirm.com. The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, FL 32714, Telephone: (407) 331-6620.

By making this website information available for those who access it does not constitute doing business in or having a presence in any state or jurisdiction, nor does it constitute an advertisement sent to or a solicitation made in any state or jurisdiction. This firm is located in and maintains a presence in only those states where the firm maintains an actual physical office. Its attorneys are only admitted to practice in those states specifically listed on their resumes.